1 | /* |
2 | * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdio.h> |
11 | #include "ssl_local.h" |
12 | #include <openssl/conf.h> |
13 | #include <openssl/objects.h> |
14 | #include <openssl/dh.h> |
15 | #include "internal/nelem.h" |
16 | |
17 | /* |
18 | * structure holding name tables. This is used for permitted elements in lists |
19 | * such as TLSv1. |
20 | */ |
21 | |
22 | typedef struct { |
23 | const char *name; |
24 | int namelen; |
25 | unsigned int name_flags; |
26 | unsigned long option_value; |
27 | } ssl_flag_tbl; |
28 | |
29 | /* Switch table: use for single command line switches like no_tls2 */ |
30 | typedef struct { |
31 | unsigned long option_value; |
32 | unsigned int name_flags; |
33 | } ssl_switch_tbl; |
34 | |
35 | /* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */ |
36 | #define SSL_TFLAG_INV 0x1 |
37 | /* Mask for type of flag referred to */ |
38 | #define SSL_TFLAG_TYPE_MASK 0xf00 |
39 | /* Flag is for options */ |
40 | #define SSL_TFLAG_OPTION 0x000 |
41 | /* Flag is for cert_flags */ |
42 | #define SSL_TFLAG_CERT 0x100 |
43 | /* Flag is for verify mode */ |
44 | #define SSL_TFLAG_VFY 0x200 |
45 | /* Option can only be used for clients */ |
46 | #define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT |
47 | /* Option can only be used for servers */ |
48 | #define SSL_TFLAG_SERVER SSL_CONF_FLAG_SERVER |
49 | #define SSL_TFLAG_BOTH (SSL_TFLAG_CLIENT|SSL_TFLAG_SERVER) |
50 | |
51 | #define SSL_FLAG_TBL(str, flag) \ |
52 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_BOTH, flag} |
53 | #define SSL_FLAG_TBL_SRV(str, flag) \ |
54 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_SERVER, flag} |
55 | #define SSL_FLAG_TBL_CLI(str, flag) \ |
56 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CLIENT, flag} |
57 | #define SSL_FLAG_TBL_INV(str, flag) \ |
58 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_BOTH, flag} |
59 | #define SSL_FLAG_TBL_SRV_INV(str, flag) \ |
60 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_INV|SSL_TFLAG_SERVER, flag} |
61 | #define SSL_FLAG_TBL_CERT(str, flag) \ |
62 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag} |
63 | |
64 | #define SSL_FLAG_VFY_CLI(str, flag) \ |
65 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag} |
66 | #define SSL_FLAG_VFY_SRV(str, flag) \ |
67 | {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag} |
68 | |
69 | /* |
70 | * Opaque structure containing SSL configuration context. |
71 | */ |
72 | |
73 | struct ssl_conf_ctx_st { |
74 | /* |
75 | * Various flags indicating (among other things) which options we will |
76 | * recognise. |
77 | */ |
78 | unsigned int flags; |
79 | /* Prefix and length of commands */ |
80 | char *prefix; |
81 | size_t prefixlen; |
82 | /* SSL_CTX or SSL structure to perform operations on */ |
83 | SSL_CTX *ctx; |
84 | SSL *ssl; |
85 | /* Pointer to SSL or SSL_CTX options field or NULL if none */ |
86 | uint32_t *poptions; |
87 | /* Certificate filenames for each type */ |
88 | char *cert_filename[SSL_PKEY_NUM]; |
89 | /* Pointer to SSL or SSL_CTX cert_flags or NULL if none */ |
90 | uint32_t *pcert_flags; |
91 | /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */ |
92 | uint32_t *pvfy_flags; |
93 | /* Pointer to SSL or SSL_CTX min_version field or NULL if none */ |
94 | int *min_version; |
95 | /* Pointer to SSL or SSL_CTX max_version field or NULL if none */ |
96 | int *max_version; |
97 | /* Current flag table being worked on */ |
98 | const ssl_flag_tbl *tbl; |
99 | /* Size of table */ |
100 | size_t ntbl; |
101 | /* Client CA names */ |
102 | STACK_OF(X509_NAME) *canames; |
103 | }; |
104 | |
105 | static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags, |
106 | unsigned long option_value, int onoff) |
107 | { |
108 | uint32_t *pflags; |
109 | if (cctx->poptions == NULL) |
110 | return; |
111 | if (name_flags & SSL_TFLAG_INV) |
112 | onoff ^= 1; |
113 | switch (name_flags & SSL_TFLAG_TYPE_MASK) { |
114 | |
115 | case SSL_TFLAG_CERT: |
116 | pflags = cctx->pcert_flags; |
117 | break; |
118 | |
119 | case SSL_TFLAG_VFY: |
120 | pflags = cctx->pvfy_flags; |
121 | break; |
122 | |
123 | case SSL_TFLAG_OPTION: |
124 | pflags = cctx->poptions; |
125 | break; |
126 | |
127 | default: |
128 | return; |
129 | |
130 | } |
131 | if (onoff) |
132 | *pflags |= option_value; |
133 | else |
134 | *pflags &= ~option_value; |
135 | } |
136 | |
137 | static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, |
138 | const char *name, int namelen, int onoff) |
139 | { |
140 | /* If name not relevant for context skip */ |
141 | if (!(cctx->flags & tbl->name_flags & SSL_TFLAG_BOTH)) |
142 | return 0; |
143 | if (namelen == -1) { |
144 | if (strcmp(tbl->name, name)) |
145 | return 0; |
146 | } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen)) |
147 | return 0; |
148 | ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); |
149 | return 1; |
150 | } |
151 | |
152 | static int ssl_set_option_list(const char *elem, int len, void *usr) |
153 | { |
154 | SSL_CONF_CTX *cctx = usr; |
155 | size_t i; |
156 | const ssl_flag_tbl *tbl; |
157 | int onoff = 1; |
158 | /* |
159 | * len == -1 indicates not being called in list context, just for single |
160 | * command line switches, so don't allow +, -. |
161 | */ |
162 | if (elem == NULL) |
163 | return 0; |
164 | if (len != -1) { |
165 | if (*elem == '+') { |
166 | elem++; |
167 | len--; |
168 | onoff = 1; |
169 | } else if (*elem == '-') { |
170 | elem++; |
171 | len--; |
172 | onoff = 0; |
173 | } |
174 | } |
175 | for (i = 0, tbl = cctx->tbl; i < cctx->ntbl; i++, tbl++) { |
176 | if (ssl_match_option(cctx, tbl, elem, len, onoff)) |
177 | return 1; |
178 | } |
179 | return 0; |
180 | } |
181 | |
182 | /* Set supported signature algorithms */ |
183 | static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
184 | { |
185 | int rv; |
186 | if (cctx->ssl) |
187 | rv = SSL_set1_sigalgs_list(cctx->ssl, value); |
188 | /* NB: ctx == NULL performs syntax checking only */ |
189 | else |
190 | rv = SSL_CTX_set1_sigalgs_list(cctx->ctx, value); |
191 | return rv > 0; |
192 | } |
193 | |
194 | /* Set supported client signature algorithms */ |
195 | static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value) |
196 | { |
197 | int rv; |
198 | if (cctx->ssl) |
199 | rv = SSL_set1_client_sigalgs_list(cctx->ssl, value); |
200 | /* NB: ctx == NULL performs syntax checking only */ |
201 | else |
202 | rv = SSL_CTX_set1_client_sigalgs_list(cctx->ctx, value); |
203 | return rv > 0; |
204 | } |
205 | |
206 | static int cmd_Groups(SSL_CONF_CTX *cctx, const char *value) |
207 | { |
208 | int rv; |
209 | if (cctx->ssl) |
210 | rv = SSL_set1_groups_list(cctx->ssl, value); |
211 | /* NB: ctx == NULL performs syntax checking only */ |
212 | else |
213 | rv = SSL_CTX_set1_groups_list(cctx->ctx, value); |
214 | return rv > 0; |
215 | } |
216 | |
217 | /* This is the old name for cmd_Groups - retained for backwards compatibility */ |
218 | static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) |
219 | { |
220 | return cmd_Groups(cctx, value); |
221 | } |
222 | |
223 | #ifndef OPENSSL_NO_EC |
224 | /* ECDH temporary parameters */ |
225 | static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) |
226 | { |
227 | int rv = 1; |
228 | int nid; |
229 | |
230 | /* Ignore values supported by 1.0.2 for the automatic selection */ |
231 | if ((cctx->flags & SSL_CONF_FLAG_FILE) |
232 | && (strcasecmp(value, "+automatic" ) == 0 |
233 | || strcasecmp(value, "automatic" ) == 0)) |
234 | return 1; |
235 | if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && |
236 | strcmp(value, "auto" ) == 0) |
237 | return 1; |
238 | |
239 | nid = EC_curve_nist2nid(value); |
240 | if (nid == NID_undef) |
241 | nid = OBJ_sn2nid(value); |
242 | if (nid == 0) |
243 | return 0; |
244 | |
245 | if (cctx->ctx) |
246 | rv = SSL_CTX_set1_groups(cctx->ctx, &nid, 1); |
247 | else if (cctx->ssl) |
248 | rv = SSL_set1_groups(cctx->ssl, &nid, 1); |
249 | |
250 | return rv > 0; |
251 | } |
252 | #endif |
253 | static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) |
254 | { |
255 | int rv = 1; |
256 | |
257 | if (cctx->ctx) |
258 | rv = SSL_CTX_set_cipher_list(cctx->ctx, value); |
259 | if (cctx->ssl) |
260 | rv = SSL_set_cipher_list(cctx->ssl, value); |
261 | return rv > 0; |
262 | } |
263 | |
264 | static int cmd_Ciphersuites(SSL_CONF_CTX *cctx, const char *value) |
265 | { |
266 | int rv = 1; |
267 | |
268 | if (cctx->ctx) |
269 | rv = SSL_CTX_set_ciphersuites(cctx->ctx, value); |
270 | if (cctx->ssl) |
271 | rv = SSL_set_ciphersuites(cctx->ssl, value); |
272 | return rv > 0; |
273 | } |
274 | |
275 | static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) |
276 | { |
277 | static const ssl_flag_tbl ssl_protocol_list[] = { |
278 | SSL_FLAG_TBL_INV("ALL" , SSL_OP_NO_SSL_MASK), |
279 | SSL_FLAG_TBL_INV("SSLv2" , SSL_OP_NO_SSLv2), |
280 | SSL_FLAG_TBL_INV("SSLv3" , SSL_OP_NO_SSLv3), |
281 | SSL_FLAG_TBL_INV("TLSv1" , SSL_OP_NO_TLSv1), |
282 | SSL_FLAG_TBL_INV("TLSv1.1" , SSL_OP_NO_TLSv1_1), |
283 | SSL_FLAG_TBL_INV("TLSv1.2" , SSL_OP_NO_TLSv1_2), |
284 | SSL_FLAG_TBL_INV("TLSv1.3" , SSL_OP_NO_TLSv1_3), |
285 | SSL_FLAG_TBL_INV("DTLSv1" , SSL_OP_NO_DTLSv1), |
286 | SSL_FLAG_TBL_INV("DTLSv1.2" , SSL_OP_NO_DTLSv1_2) |
287 | }; |
288 | cctx->tbl = ssl_protocol_list; |
289 | cctx->ntbl = OSSL_NELEM(ssl_protocol_list); |
290 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
291 | } |
292 | |
293 | /* |
294 | * protocol_from_string - converts a protocol version string to a number |
295 | * |
296 | * Returns -1 on failure or the version on success |
297 | */ |
298 | static int protocol_from_string(const char *value) |
299 | { |
300 | struct protocol_versions { |
301 | const char *name; |
302 | int version; |
303 | }; |
304 | static const struct protocol_versions versions[] = { |
305 | {"None" , 0}, |
306 | {"SSLv3" , SSL3_VERSION}, |
307 | {"TLSv1" , TLS1_VERSION}, |
308 | {"TLSv1.1" , TLS1_1_VERSION}, |
309 | {"TLSv1.2" , TLS1_2_VERSION}, |
310 | {"TLSv1.3" , TLS1_3_VERSION}, |
311 | {"DTLSv1" , DTLS1_VERSION}, |
312 | {"DTLSv1.2" , DTLS1_2_VERSION} |
313 | }; |
314 | size_t i; |
315 | size_t n = OSSL_NELEM(versions); |
316 | |
317 | for (i = 0; i < n; i++) |
318 | if (strcmp(versions[i].name, value) == 0) |
319 | return versions[i].version; |
320 | return -1; |
321 | } |
322 | |
323 | static int min_max_proto(SSL_CONF_CTX *cctx, const char *value, int *bound) |
324 | { |
325 | int method_version; |
326 | int new_version; |
327 | |
328 | if (cctx->ctx != NULL) |
329 | method_version = cctx->ctx->method->version; |
330 | else if (cctx->ssl != NULL) |
331 | method_version = cctx->ssl->ctx->method->version; |
332 | else |
333 | return 0; |
334 | if ((new_version = protocol_from_string(value)) < 0) |
335 | return 0; |
336 | return ssl_set_version_bound(method_version, new_version, bound); |
337 | } |
338 | |
339 | /* |
340 | * cmd_MinProtocol - Set min protocol version |
341 | * @cctx: config structure to save settings in |
342 | * @value: The min protocol version in string form |
343 | * |
344 | * Returns 1 on success and 0 on failure. |
345 | */ |
346 | static int cmd_MinProtocol(SSL_CONF_CTX *cctx, const char *value) |
347 | { |
348 | return min_max_proto(cctx, value, cctx->min_version); |
349 | } |
350 | |
351 | /* |
352 | * cmd_MaxProtocol - Set max protocol version |
353 | * @cctx: config structure to save settings in |
354 | * @value: The max protocol version in string form |
355 | * |
356 | * Returns 1 on success and 0 on failure. |
357 | */ |
358 | static int cmd_MaxProtocol(SSL_CONF_CTX *cctx, const char *value) |
359 | { |
360 | return min_max_proto(cctx, value, cctx->max_version); |
361 | } |
362 | |
363 | static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) |
364 | { |
365 | static const ssl_flag_tbl ssl_option_list[] = { |
366 | SSL_FLAG_TBL_INV("SessionTicket" , SSL_OP_NO_TICKET), |
367 | SSL_FLAG_TBL_INV("EmptyFragments" , |
368 | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS), |
369 | SSL_FLAG_TBL("Bugs" , SSL_OP_ALL), |
370 | SSL_FLAG_TBL_INV("Compression" , SSL_OP_NO_COMPRESSION), |
371 | SSL_FLAG_TBL_SRV("ServerPreference" , SSL_OP_CIPHER_SERVER_PREFERENCE), |
372 | SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation" , |
373 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION), |
374 | SSL_FLAG_TBL_SRV("DHSingle" , SSL_OP_SINGLE_DH_USE), |
375 | SSL_FLAG_TBL_SRV("ECDHSingle" , SSL_OP_SINGLE_ECDH_USE), |
376 | SSL_FLAG_TBL("UnsafeLegacyRenegotiation" , |
377 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION), |
378 | SSL_FLAG_TBL_INV("EncryptThenMac" , SSL_OP_NO_ENCRYPT_THEN_MAC), |
379 | SSL_FLAG_TBL("NoRenegotiation" , SSL_OP_NO_RENEGOTIATION), |
380 | SSL_FLAG_TBL("AllowNoDHEKEX" , SSL_OP_ALLOW_NO_DHE_KEX), |
381 | SSL_FLAG_TBL("PrioritizeChaCha" , SSL_OP_PRIORITIZE_CHACHA), |
382 | SSL_FLAG_TBL("MiddleboxCompat" , SSL_OP_ENABLE_MIDDLEBOX_COMPAT), |
383 | SSL_FLAG_TBL_INV("AntiReplay" , SSL_OP_NO_ANTI_REPLAY), |
384 | SSL_FLAG_TBL_INV("ExtendedMasterSecret" , SSL_OP_NO_EXTENDED_MASTER_SECRET) |
385 | }; |
386 | if (value == NULL) |
387 | return -3; |
388 | cctx->tbl = ssl_option_list; |
389 | cctx->ntbl = OSSL_NELEM(ssl_option_list); |
390 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
391 | } |
392 | |
393 | static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value) |
394 | { |
395 | static const ssl_flag_tbl ssl_vfy_list[] = { |
396 | SSL_FLAG_VFY_CLI("Peer" , SSL_VERIFY_PEER), |
397 | SSL_FLAG_VFY_SRV("Request" , SSL_VERIFY_PEER), |
398 | SSL_FLAG_VFY_SRV("Require" , |
399 | SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), |
400 | SSL_FLAG_VFY_SRV("Once" , SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), |
401 | SSL_FLAG_VFY_SRV("RequestPostHandshake" , |
402 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE), |
403 | SSL_FLAG_VFY_SRV("RequirePostHandshake" , |
404 | SSL_VERIFY_PEER | SSL_VERIFY_POST_HANDSHAKE | |
405 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), |
406 | }; |
407 | if (value == NULL) |
408 | return -3; |
409 | cctx->tbl = ssl_vfy_list; |
410 | cctx->ntbl = OSSL_NELEM(ssl_vfy_list); |
411 | return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx); |
412 | } |
413 | |
414 | static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value) |
415 | { |
416 | int rv = 1; |
417 | CERT *c = NULL; |
418 | if (cctx->ctx) { |
419 | rv = SSL_CTX_use_certificate_chain_file(cctx->ctx, value); |
420 | c = cctx->ctx->cert; |
421 | } |
422 | if (cctx->ssl) { |
423 | rv = SSL_use_certificate_chain_file(cctx->ssl, value); |
424 | c = cctx->ssl->cert; |
425 | } |
426 | if (rv > 0 && c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { |
427 | char **pfilename = &cctx->cert_filename[c->key - c->pkeys]; |
428 | OPENSSL_free(*pfilename); |
429 | *pfilename = OPENSSL_strdup(value); |
430 | if (*pfilename == NULL) |
431 | rv = 0; |
432 | } |
433 | |
434 | return rv > 0; |
435 | } |
436 | |
437 | static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) |
438 | { |
439 | int rv = 1; |
440 | if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) |
441 | return -2; |
442 | if (cctx->ctx) |
443 | rv = SSL_CTX_use_PrivateKey_file(cctx->ctx, value, SSL_FILETYPE_PEM); |
444 | if (cctx->ssl) |
445 | rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); |
446 | return rv > 0; |
447 | } |
448 | |
449 | static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value) |
450 | { |
451 | int rv = 1; |
452 | if (cctx->ctx) |
453 | rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value); |
454 | return rv > 0; |
455 | } |
456 | |
457 | static int do_store(SSL_CONF_CTX *cctx, |
458 | const char *CAfile, const char *CApath, const char *CAstore, |
459 | int verify_store) |
460 | { |
461 | CERT *cert; |
462 | X509_STORE **st; |
463 | |
464 | if (cctx->ctx) |
465 | cert = cctx->ctx->cert; |
466 | else if (cctx->ssl) |
467 | cert = cctx->ssl->cert; |
468 | else |
469 | return 1; |
470 | st = verify_store ? &cert->verify_store : &cert->chain_store; |
471 | if (*st == NULL) { |
472 | *st = X509_STORE_new(); |
473 | if (*st == NULL) |
474 | return 0; |
475 | } |
476 | |
477 | if (CAfile != NULL && !X509_STORE_load_file(*st, CAfile)) |
478 | return 0; |
479 | if (CApath != NULL && !X509_STORE_load_path(*st, CApath)) |
480 | return 0; |
481 | if (CAstore != NULL && !X509_STORE_load_store(*st, CAstore)) |
482 | return 0; |
483 | return 1; |
484 | } |
485 | |
486 | static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value) |
487 | { |
488 | return do_store(cctx, NULL, value, NULL, 0); |
489 | } |
490 | |
491 | static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value) |
492 | { |
493 | return do_store(cctx, value, NULL, NULL, 0); |
494 | } |
495 | |
496 | static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value) |
497 | { |
498 | return do_store(cctx, NULL, NULL, value, 0); |
499 | } |
500 | |
501 | static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value) |
502 | { |
503 | return do_store(cctx, NULL, value, NULL, 1); |
504 | } |
505 | |
506 | static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value) |
507 | { |
508 | return do_store(cctx, value, NULL, NULL, 1); |
509 | } |
510 | |
511 | static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value) |
512 | { |
513 | return do_store(cctx, NULL, NULL, value, 1); |
514 | } |
515 | |
516 | static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value) |
517 | { |
518 | if (cctx->canames == NULL) |
519 | cctx->canames = sk_X509_NAME_new_null(); |
520 | if (cctx->canames == NULL) |
521 | return 0; |
522 | return SSL_add_file_cert_subjects_to_stack(cctx->canames, value); |
523 | } |
524 | |
525 | static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value) |
526 | { |
527 | return cmd_RequestCAFile(cctx, value); |
528 | } |
529 | |
530 | static int cmd_RequestCAPath(SSL_CONF_CTX *cctx, const char *value) |
531 | { |
532 | if (cctx->canames == NULL) |
533 | cctx->canames = sk_X509_NAME_new_null(); |
534 | if (cctx->canames == NULL) |
535 | return 0; |
536 | return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value); |
537 | } |
538 | |
539 | static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value) |
540 | { |
541 | return cmd_RequestCAPath(cctx, value); |
542 | } |
543 | |
544 | static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value) |
545 | { |
546 | if (cctx->canames == NULL) |
547 | cctx->canames = sk_X509_NAME_new_null(); |
548 | if (cctx->canames == NULL) |
549 | return 0; |
550 | return SSL_add_store_cert_subjects_to_stack(cctx->canames, value); |
551 | } |
552 | |
553 | static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value) |
554 | { |
555 | return cmd_RequestCAStore(cctx, value); |
556 | } |
557 | |
558 | #ifndef OPENSSL_NO_DH |
559 | static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) |
560 | { |
561 | int rv = 0; |
562 | DH *dh = NULL; |
563 | BIO *in = NULL; |
564 | if (cctx->ctx || cctx->ssl) { |
565 | in = BIO_new(BIO_s_file()); |
566 | if (in == NULL) |
567 | goto end; |
568 | if (BIO_read_filename(in, value) <= 0) |
569 | goto end; |
570 | dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); |
571 | if (dh == NULL) |
572 | goto end; |
573 | } else |
574 | return 1; |
575 | if (cctx->ctx) |
576 | rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); |
577 | if (cctx->ssl) |
578 | rv = SSL_set_tmp_dh(cctx->ssl, dh); |
579 | end: |
580 | DH_free(dh); |
581 | BIO_free(in); |
582 | return rv > 0; |
583 | } |
584 | #endif |
585 | |
586 | static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) |
587 | { |
588 | int rv = 0; |
589 | int block_size = atoi(value); |
590 | |
591 | /* |
592 | * All we care about is a non-negative value, |
593 | * the setters check the range |
594 | */ |
595 | if (block_size >= 0) { |
596 | if (cctx->ctx) |
597 | rv = SSL_CTX_set_block_padding(cctx->ctx, block_size); |
598 | if (cctx->ssl) |
599 | rv = SSL_set_block_padding(cctx->ssl, block_size); |
600 | } |
601 | return rv; |
602 | } |
603 | |
604 | |
605 | static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) |
606 | { |
607 | int rv = 0; |
608 | int num_tickets = atoi(value); |
609 | |
610 | if (num_tickets >= 0) { |
611 | if (cctx->ctx) |
612 | rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); |
613 | if (cctx->ssl) |
614 | rv = SSL_set_num_tickets(cctx->ssl, num_tickets); |
615 | } |
616 | return rv; |
617 | } |
618 | |
619 | typedef struct { |
620 | int (*cmd) (SSL_CONF_CTX *cctx, const char *value); |
621 | const char *str_file; |
622 | const char *str_cmdline; |
623 | unsigned short flags; |
624 | unsigned short value_type; |
625 | } ssl_conf_cmd_tbl; |
626 | |
627 | /* Table of supported parameters */ |
628 | |
629 | #define SSL_CONF_CMD(name, cmdopt, flags, type) \ |
630 | {cmd_##name, #name, cmdopt, flags, type} |
631 | |
632 | #define SSL_CONF_CMD_STRING(name, cmdopt, flags) \ |
633 | SSL_CONF_CMD(name, cmdopt, flags, SSL_CONF_TYPE_STRING) |
634 | |
635 | #define SSL_CONF_CMD_SWITCH(name, flags) \ |
636 | {0, NULL, name, flags, SSL_CONF_TYPE_NONE} |
637 | |
638 | /* See apps/apps.h if you change this table. */ |
639 | static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { |
640 | SSL_CONF_CMD_SWITCH("no_ssl3" , 0), |
641 | SSL_CONF_CMD_SWITCH("no_tls1" , 0), |
642 | SSL_CONF_CMD_SWITCH("no_tls1_1" , 0), |
643 | SSL_CONF_CMD_SWITCH("no_tls1_2" , 0), |
644 | SSL_CONF_CMD_SWITCH("no_tls1_3" , 0), |
645 | SSL_CONF_CMD_SWITCH("bugs" , 0), |
646 | SSL_CONF_CMD_SWITCH("no_comp" , 0), |
647 | SSL_CONF_CMD_SWITCH("comp" , 0), |
648 | SSL_CONF_CMD_SWITCH("ecdh_single" , SSL_CONF_FLAG_SERVER), |
649 | SSL_CONF_CMD_SWITCH("no_ticket" , 0), |
650 | SSL_CONF_CMD_SWITCH("serverpref" , SSL_CONF_FLAG_SERVER), |
651 | SSL_CONF_CMD_SWITCH("legacy_renegotiation" , 0), |
652 | SSL_CONF_CMD_SWITCH("legacy_server_connect" , SSL_CONF_FLAG_SERVER), |
653 | SSL_CONF_CMD_SWITCH("no_renegotiation" , 0), |
654 | SSL_CONF_CMD_SWITCH("no_resumption_on_reneg" , SSL_CONF_FLAG_SERVER), |
655 | SSL_CONF_CMD_SWITCH("no_legacy_server_connect" , SSL_CONF_FLAG_SERVER), |
656 | SSL_CONF_CMD_SWITCH("allow_no_dhe_kex" , 0), |
657 | SSL_CONF_CMD_SWITCH("prioritize_chacha" , SSL_CONF_FLAG_SERVER), |
658 | SSL_CONF_CMD_SWITCH("strict" , 0), |
659 | SSL_CONF_CMD_SWITCH("no_middlebox" , 0), |
660 | SSL_CONF_CMD_SWITCH("anti_replay" , SSL_CONF_FLAG_SERVER), |
661 | SSL_CONF_CMD_SWITCH("no_anti_replay" , SSL_CONF_FLAG_SERVER), |
662 | SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs" , 0), |
663 | SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs" , 0), |
664 | SSL_CONF_CMD_STRING(Curves, "curves" , 0), |
665 | SSL_CONF_CMD_STRING(Groups, "groups" , 0), |
666 | #ifndef OPENSSL_NO_EC |
667 | SSL_CONF_CMD_STRING(ECDHParameters, "named_curve" , SSL_CONF_FLAG_SERVER), |
668 | #endif |
669 | SSL_CONF_CMD_STRING(CipherString, "cipher" , 0), |
670 | SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites" , 0), |
671 | SSL_CONF_CMD_STRING(Protocol, NULL, 0), |
672 | SSL_CONF_CMD_STRING(MinProtocol, "min_protocol" , 0), |
673 | SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol" , 0), |
674 | SSL_CONF_CMD_STRING(Options, NULL, 0), |
675 | SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), |
676 | SSL_CONF_CMD(Certificate, "cert" , SSL_CONF_FLAG_CERTIFICATE, |
677 | SSL_CONF_TYPE_FILE), |
678 | SSL_CONF_CMD(PrivateKey, "key" , SSL_CONF_FLAG_CERTIFICATE, |
679 | SSL_CONF_TYPE_FILE), |
680 | SSL_CONF_CMD(ServerInfoFile, NULL, |
681 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
682 | SSL_CONF_TYPE_FILE), |
683 | SSL_CONF_CMD(ChainCAPath, "chainCApath" , SSL_CONF_FLAG_CERTIFICATE, |
684 | SSL_CONF_TYPE_DIR), |
685 | SSL_CONF_CMD(ChainCAFile, "chainCAfile" , SSL_CONF_FLAG_CERTIFICATE, |
686 | SSL_CONF_TYPE_FILE), |
687 | SSL_CONF_CMD(ChainCAStore, "chainCAstore" , SSL_CONF_FLAG_CERTIFICATE, |
688 | SSL_CONF_TYPE_STORE), |
689 | SSL_CONF_CMD(VerifyCAPath, "verifyCApath" , SSL_CONF_FLAG_CERTIFICATE, |
690 | SSL_CONF_TYPE_DIR), |
691 | SSL_CONF_CMD(VerifyCAFile, "verifyCAfile" , SSL_CONF_FLAG_CERTIFICATE, |
692 | SSL_CONF_TYPE_FILE), |
693 | SSL_CONF_CMD(VerifyCAStore, "verifyCAstore" , SSL_CONF_FLAG_CERTIFICATE, |
694 | SSL_CONF_TYPE_STORE), |
695 | SSL_CONF_CMD(RequestCAFile, "requestCAFile" , SSL_CONF_FLAG_CERTIFICATE, |
696 | SSL_CONF_TYPE_FILE), |
697 | SSL_CONF_CMD(ClientCAFile, NULL, |
698 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
699 | SSL_CONF_TYPE_FILE), |
700 | SSL_CONF_CMD(RequestCAPath, NULL, SSL_CONF_FLAG_CERTIFICATE, |
701 | SSL_CONF_TYPE_DIR), |
702 | SSL_CONF_CMD(ClientCAPath, NULL, |
703 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
704 | SSL_CONF_TYPE_DIR), |
705 | SSL_CONF_CMD(RequestCAStore, "requestCAStore" , SSL_CONF_FLAG_CERTIFICATE, |
706 | SSL_CONF_TYPE_STORE), |
707 | SSL_CONF_CMD(ClientCAStore, NULL, |
708 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
709 | SSL_CONF_TYPE_STORE), |
710 | #ifndef OPENSSL_NO_DH |
711 | SSL_CONF_CMD(DHParameters, "dhparam" , |
712 | SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, |
713 | SSL_CONF_TYPE_FILE), |
714 | #endif |
715 | SSL_CONF_CMD_STRING(RecordPadding, "record_padding" , 0), |
716 | SSL_CONF_CMD_STRING(NumTickets, "num_tickets" , SSL_CONF_FLAG_SERVER), |
717 | }; |
718 | |
719 | /* Supported switches: must match order of switches in ssl_conf_cmds */ |
720 | static const ssl_switch_tbl ssl_cmd_switches[] = { |
721 | {SSL_OP_NO_SSLv3, 0}, /* no_ssl3 */ |
722 | {SSL_OP_NO_TLSv1, 0}, /* no_tls1 */ |
723 | {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ |
724 | {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ |
725 | {SSL_OP_NO_TLSv1_3, 0}, /* no_tls1_3 */ |
726 | {SSL_OP_ALL, 0}, /* bugs */ |
727 | {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ |
728 | {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */ |
729 | {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ |
730 | {SSL_OP_NO_TICKET, 0}, /* no_ticket */ |
731 | {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ |
732 | /* legacy_renegotiation */ |
733 | {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, |
734 | /* legacy_server_connect */ |
735 | {SSL_OP_LEGACY_SERVER_CONNECT, 0}, |
736 | /* no_renegotiation */ |
737 | {SSL_OP_NO_RENEGOTIATION, 0}, |
738 | /* no_resumption_on_reneg */ |
739 | {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, 0}, |
740 | /* no_legacy_server_connect */ |
741 | {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, |
742 | /* allow_no_dhe_kex */ |
743 | {SSL_OP_ALLOW_NO_DHE_KEX, 0}, |
744 | /* chacha reprioritization */ |
745 | {SSL_OP_PRIORITIZE_CHACHA, 0}, |
746 | {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ |
747 | /* no_middlebox */ |
748 | {SSL_OP_ENABLE_MIDDLEBOX_COMPAT, SSL_TFLAG_INV}, |
749 | /* anti_replay */ |
750 | {SSL_OP_NO_ANTI_REPLAY, SSL_TFLAG_INV}, |
751 | /* no_anti_replay */ |
752 | {SSL_OP_NO_ANTI_REPLAY, 0}, |
753 | }; |
754 | |
755 | static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) |
756 | { |
757 | if (pcmd == NULL || *pcmd == NULL) |
758 | return 0; |
759 | /* If a prefix is set, check and skip */ |
760 | if (cctx->prefix) { |
761 | if (strlen(*pcmd) <= cctx->prefixlen) |
762 | return 0; |
763 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE && |
764 | strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
765 | return 0; |
766 | if (cctx->flags & SSL_CONF_FLAG_FILE && |
767 | strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) |
768 | return 0; |
769 | *pcmd += cctx->prefixlen; |
770 | } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { |
771 | if (**pcmd != '-' || !(*pcmd)[1]) |
772 | return 0; |
773 | *pcmd += 1; |
774 | } |
775 | return 1; |
776 | } |
777 | |
778 | /* Determine if a command is allowed according to cctx flags */ |
779 | static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t) |
780 | { |
781 | unsigned int tfl = t->flags; |
782 | unsigned int cfl = cctx->flags; |
783 | if ((tfl & SSL_CONF_FLAG_SERVER) && !(cfl & SSL_CONF_FLAG_SERVER)) |
784 | return 0; |
785 | if ((tfl & SSL_CONF_FLAG_CLIENT) && !(cfl & SSL_CONF_FLAG_CLIENT)) |
786 | return 0; |
787 | if ((tfl & SSL_CONF_FLAG_CERTIFICATE) |
788 | && !(cfl & SSL_CONF_FLAG_CERTIFICATE)) |
789 | return 0; |
790 | return 1; |
791 | } |
792 | |
793 | static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, |
794 | const char *cmd) |
795 | { |
796 | const ssl_conf_cmd_tbl *t; |
797 | size_t i; |
798 | if (cmd == NULL) |
799 | return NULL; |
800 | |
801 | /* Look for matching parameter name in table */ |
802 | for (i = 0, t = ssl_conf_cmds; i < OSSL_NELEM(ssl_conf_cmds); i++, t++) { |
803 | if (ssl_conf_cmd_allowed(cctx, t)) { |
804 | if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { |
805 | if (t->str_cmdline && strcmp(t->str_cmdline, cmd) == 0) |
806 | return t; |
807 | } |
808 | if (cctx->flags & SSL_CONF_FLAG_FILE) { |
809 | if (t->str_file && strcasecmp(t->str_file, cmd) == 0) |
810 | return t; |
811 | } |
812 | } |
813 | } |
814 | return NULL; |
815 | } |
816 | |
817 | static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd) |
818 | { |
819 | /* Find index of command in table */ |
820 | size_t idx = cmd - ssl_conf_cmds; |
821 | const ssl_switch_tbl *scmd; |
822 | /* Sanity check index */ |
823 | if (idx >= OSSL_NELEM(ssl_cmd_switches)) |
824 | return 0; |
825 | /* Obtain switches entry with same index */ |
826 | scmd = ssl_cmd_switches + idx; |
827 | ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1); |
828 | return 1; |
829 | } |
830 | |
831 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) |
832 | { |
833 | const ssl_conf_cmd_tbl *runcmd; |
834 | if (cmd == NULL) { |
835 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_INVALID_NULL_CMD_NAME); |
836 | return 0; |
837 | } |
838 | |
839 | if (!ssl_conf_cmd_skip_prefix(cctx, &cmd)) |
840 | return -2; |
841 | |
842 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); |
843 | |
844 | if (runcmd) { |
845 | int rv; |
846 | if (runcmd->value_type == SSL_CONF_TYPE_NONE) { |
847 | return ctrl_switch_option(cctx, runcmd); |
848 | } |
849 | if (value == NULL) |
850 | return -3; |
851 | rv = runcmd->cmd(cctx, value); |
852 | if (rv > 0) |
853 | return 2; |
854 | if (rv == -2) |
855 | return -2; |
856 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { |
857 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_BAD_VALUE); |
858 | ERR_add_error_data(4, "cmd=" , cmd, ", value=" , value); |
859 | } |
860 | return 0; |
861 | } |
862 | |
863 | if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS) { |
864 | SSLerr(SSL_F_SSL_CONF_CMD, SSL_R_UNKNOWN_CMD_NAME); |
865 | ERR_add_error_data(2, "cmd=" , cmd); |
866 | } |
867 | |
868 | return -2; |
869 | } |
870 | |
871 | int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) |
872 | { |
873 | int rv; |
874 | const char *arg = NULL, *argn; |
875 | |
876 | if (pargc != NULL && *pargc == 0) |
877 | return 0; |
878 | if (pargc == NULL || *pargc > 0) |
879 | arg = **pargv; |
880 | if (arg == NULL) |
881 | return 0; |
882 | if (pargc == NULL || *pargc > 1) |
883 | argn = (*pargv)[1]; |
884 | else |
885 | argn = NULL; |
886 | cctx->flags &= ~SSL_CONF_FLAG_FILE; |
887 | cctx->flags |= SSL_CONF_FLAG_CMDLINE; |
888 | rv = SSL_CONF_cmd(cctx, arg, argn); |
889 | if (rv > 0) { |
890 | /* Success: update pargc, pargv */ |
891 | (*pargv) += rv; |
892 | if (pargc) |
893 | (*pargc) -= rv; |
894 | return rv; |
895 | } |
896 | /* Unknown switch: indicate no arguments processed */ |
897 | if (rv == -2) |
898 | return 0; |
899 | /* Some error occurred processing command, return fatal error */ |
900 | if (rv == 0) |
901 | return -1; |
902 | return rv; |
903 | } |
904 | |
905 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) |
906 | { |
907 | if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { |
908 | const ssl_conf_cmd_tbl *runcmd; |
909 | runcmd = ssl_conf_cmd_lookup(cctx, cmd); |
910 | if (runcmd) |
911 | return runcmd->value_type; |
912 | } |
913 | return SSL_CONF_TYPE_UNKNOWN; |
914 | } |
915 | |
916 | SSL_CONF_CTX *SSL_CONF_CTX_new(void) |
917 | { |
918 | SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); |
919 | |
920 | return ret; |
921 | } |
922 | |
923 | int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx) |
924 | { |
925 | /* See if any certificates are missing private keys */ |
926 | size_t i; |
927 | CERT *c = NULL; |
928 | if (cctx->ctx) |
929 | c = cctx->ctx->cert; |
930 | else if (cctx->ssl) |
931 | c = cctx->ssl->cert; |
932 | if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) { |
933 | for (i = 0; i < SSL_PKEY_NUM; i++) { |
934 | const char *p = cctx->cert_filename[i]; |
935 | /* |
936 | * If missing private key try to load one from certificate file |
937 | */ |
938 | if (p && !c->pkeys[i].privatekey) { |
939 | if (!cmd_PrivateKey(cctx, p)) |
940 | return 0; |
941 | } |
942 | } |
943 | } |
944 | if (cctx->canames) { |
945 | if (cctx->ssl) |
946 | SSL_set0_CA_list(cctx->ssl, cctx->canames); |
947 | else if (cctx->ctx) |
948 | SSL_CTX_set0_CA_list(cctx->ctx, cctx->canames); |
949 | else |
950 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
951 | cctx->canames = NULL; |
952 | } |
953 | return 1; |
954 | } |
955 | |
956 | void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx) |
957 | { |
958 | if (cctx) { |
959 | size_t i; |
960 | for (i = 0; i < SSL_PKEY_NUM; i++) |
961 | OPENSSL_free(cctx->cert_filename[i]); |
962 | OPENSSL_free(cctx->prefix); |
963 | sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free); |
964 | OPENSSL_free(cctx); |
965 | } |
966 | } |
967 | |
968 | unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags) |
969 | { |
970 | cctx->flags |= flags; |
971 | return cctx->flags; |
972 | } |
973 | |
974 | unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags) |
975 | { |
976 | cctx->flags &= ~flags; |
977 | return cctx->flags; |
978 | } |
979 | |
980 | int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre) |
981 | { |
982 | char *tmp = NULL; |
983 | if (pre) { |
984 | tmp = OPENSSL_strdup(pre); |
985 | if (tmp == NULL) |
986 | return 0; |
987 | } |
988 | OPENSSL_free(cctx->prefix); |
989 | cctx->prefix = tmp; |
990 | if (tmp) |
991 | cctx->prefixlen = strlen(tmp); |
992 | else |
993 | cctx->prefixlen = 0; |
994 | return 1; |
995 | } |
996 | |
997 | void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl) |
998 | { |
999 | cctx->ssl = ssl; |
1000 | cctx->ctx = NULL; |
1001 | if (ssl) { |
1002 | cctx->poptions = &ssl->options; |
1003 | cctx->min_version = &ssl->min_proto_version; |
1004 | cctx->max_version = &ssl->max_proto_version; |
1005 | cctx->pcert_flags = &ssl->cert->cert_flags; |
1006 | cctx->pvfy_flags = &ssl->verify_mode; |
1007 | } else { |
1008 | cctx->poptions = NULL; |
1009 | cctx->min_version = NULL; |
1010 | cctx->max_version = NULL; |
1011 | cctx->pcert_flags = NULL; |
1012 | cctx->pvfy_flags = NULL; |
1013 | } |
1014 | } |
1015 | |
1016 | void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx) |
1017 | { |
1018 | cctx->ctx = ctx; |
1019 | cctx->ssl = NULL; |
1020 | if (ctx) { |
1021 | cctx->poptions = &ctx->options; |
1022 | cctx->min_version = &ctx->min_proto_version; |
1023 | cctx->max_version = &ctx->max_proto_version; |
1024 | cctx->pcert_flags = &ctx->cert->cert_flags; |
1025 | cctx->pvfy_flags = &ctx->verify_mode; |
1026 | } else { |
1027 | cctx->poptions = NULL; |
1028 | cctx->min_version = NULL; |
1029 | cctx->max_version = NULL; |
1030 | cctx->pcert_flags = NULL; |
1031 | cctx->pvfy_flags = NULL; |
1032 | } |
1033 | } |
1034 | |